Add AdGuard Home for network-wide DNS ad blocking

New services/adguard.nix runs AdGuard Home on the mediaserver with DoH
upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens
on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ediblerope 2026-04-22 13:40:30 +01:00
parent 12a8a4d88f
commit 919c991e3d
3 changed files with 45 additions and 2 deletions


@ -32,6 +32,7 @@
./services/authelia.nix ./services/authelia.nix
./services/homepage.nix ./services/homepage.nix
./services/arr-interconnect.nix ./services/arr-interconnect.nix
./services/adguard.nix
]; ];
### Make build time quicker ### Make build time quicker

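--- a/services/adguard.nix
+++ b/services/adguard.nix
@@ -0,0 +1,41 @@
+# services/adguard.nix — AdGuard Home network-wide DNS ad blocker
+{ config, lib, pkgs, ... }:
+{
+config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+services.adguardhome = {
+enable = true;
+# Web UI bound to localhost; nginx reverse-proxies at adguard.nordhammer.it
+host = "127.0.0.1";
+port = 3000;
+# Allow UI changes (blocklists, rules, clients) to persist
+mutableSettings = true;
+settings = {
+dns = {
+bind_hosts = [ "0.0.0.0" ];
+port = 53;
+# DNS-over-HTTPS upstreams — encrypts queries to resolvers
+upstream_dns = [
+"https://dns.cloudflare.com/dns-query"
+"https://dns.quad9.net/dns-query"
+];
+bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
+cache_size = 4194304;
+cache_ttl_min = 60;
+};
+filters = [
+{ enabled = true; id = 1; name = "AdGuard DNS filter";
+url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; }
+{ enabled = true; id = 2; name = "AdAway Default Blocklist";
+url = "https://adaway.org/hosts.txt"; }
+{ enabled = true; id = 3; name = "OISD Big";
+url = "https://big.oisd.nl/"; }
+];
+};
+};
+# LAN DNS — router blocks WAN:53 so this is effectively LAN-only
+networking.firewall.allowedTCPPorts = [ 53 ];
+networking.firewall.allowedUDPPorts = [ 53 ];
+};
+}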
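Review bot: `networking.firewall.allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` at the end of the file open the resolver on every interface, and `bind_hosts = [ "0.0.0.0" ]` listens on all of them, so the only thing standing between this host and an open resolver is the router rule described in the comment above those lines. A second layer inside the host would be to scope the rule to the LAN interface, e.g. `networking.firewall.interfaces.<LAN_IFACE>.allowedUDPPorts = [ 53 ];` (and the same for TCP), and to restrict `settings.dns.allowed_clients` to the LAN subnet; AdGuard Home's `dns.ratelimit` is also worth setting explicitly, since an unrestricted resolver is an amplification vector. Separately, the UI is bound to loopback here, but the nginx hunk in this commit publishes it as `"adguard.nordhammer.it" = proxy 3000;` under "Other" rather than with the `protectedProxy` helper the file already uses for Authelia-guarded services, and no `settings.users` entry is configured — if AdGuard Home's own login is not enabled in the deployed config, the admin UI would be reachable through the proxy without authentication, which should be confirmed against the running instance.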


@ -101,8 +101,9 @@ in
"torrent.nordhammer.it" = proxy 8080; "torrent.nordhammer.it" = proxy 8080;
# --- Other --- # --- Other ---
"games.nordhammer.it" = proxy 8787; "games.nordhammer.it" = proxy 8787;
"search.nordhammer.it" = proxy 8087; "search.nordhammer.it" = proxy 8087;
"adguard.nordhammer.it" = proxy 3000;
# --- Protected by Authelia --- # --- Protected by Authelia ---
"camera.nordhammer.it" = protectedProxy 1984; "camera.nordhammer.it" = protectedProxy 1984;